#7280 CA less IPA install with external certificates fails on RHEL 7 in FIPS mode
Closed: fixed 6 years ago Opened 6 years ago by frenaud.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1514163

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:

FIPS-enabled RHEL 7.4 server

Customer is trying to install IPA server with externally signed certs, and it
fails with the error below.

2017-10-31T18:26:34Z DEBUG The ipa-server-install command failed, exception:
ScriptError: No server certificates found in
/etc/pki/Identity_Management/temp/knoidm01-http-Complete.cer,
/etc/pki/Identity_Management/BA-CA02.org.test_ForestDV01.crt

But when tested after disabling FIPS mode, the installation succeeded.

Version-Release number of selected component (if applicable):


How reproducible:
On RHEL with FIPS: always.

Steps to Reproduce:
1. Configure the server in fips mode (https://access.redhat.com/solutions/137833)
2. Obtain server certificates for LDAP and HTTP server (for instance using makepki.sh tool available at https://github.com/freeipa/freeipa-tools)
3. run ipa-server-install --http-cert-file=server.crt --http-cert-file=server.key --dirsrv-cert-file=server.crt --dirsrv-cert-file=server.key --external-cert-file=ca.crt --no-pkinit ...


Actual results:
The installation fails.

Expected results:
ipa-server-install should succeed.

Additional info:
The workaround is to provide a p12 file instead of the cert/key files:
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile ca.crt
and use this p12 in ipa-server-install:
ipa-server-install --http-cert-file=server.p12 --dirsrv-cert-file=server.p12 --no-pkinit ...
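As an added example, not from the ticket or the FreeIPA project: a POSIX shell script that builds the PKCS#12 bundle the workaround describes and checks, before ipa-server-install is run, that it carries both certificates (server and CA) and exactly one private key, and that the end-entity certificate's CN is the IPA server hostname. The CA, the server key and the hostname ipa.example.test are throwaway material generated inside the script (not the customer's certificates), and the export password is an assumption.

```shell
#!/bin/sh
# Added example (not from the ticket or FreeIPA): build the p12 workaround and
# inspect it before handing it to ipa-server-install. All key material below is
# generated as throwaway test data; ipa.example.test and the password are assumed.
set -u

# Generate a constructed CA and a CA-signed server certificate in $1.
# Stands in for the externally issued certificates the ticket is about.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ipa.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
}

# The ticket's workaround: bundle key, server cert and CA cert into one PKCS#12.
# $1 = directory holding server.key, server.crt and ca.crt; $2 = export password.
build_p12() {
    openssl pkcs12 -export -out "$1/server.p12" \
        -inkey "$1/server.key" -in "$1/server.crt" -certfile "$1/ca.crt" \
        -passout "pass:$2"
}

# Number of certificates in the bundle; 2 means server cert plus CA cert.
# $1 = p12 file, $2 = password. grep -c prints 0 on no match, so keep its output.
count_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Number of private keys in the bundle; the installer needs exactly one.
count_keys() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN PRIVATE KEY' || true
}

# Subject CN of the end-entity certificate; must equal the IPA server hostname.
# -clcerts drops the CA cert so only the server cert reaches openssl x509.
p12_server_cn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

# Demo run on throwaway material.
workdir=$(mktemp -d)
make_test_pki "$workdir"
build_p12 "$workdir" changeit
echo "certificates: $(count_certs "$workdir/server.p12" changeit) (expect 2)"
echo "private keys: $(count_keys "$workdir/server.p12" changeit) (expect 1)"
echo "server CN:    $(p12_server_cn "$workdir/server.p12" changeit)"
rm -rf "$workdir"
```

On a real system, replace make_test_pki with the key and certificates issued by the external CA, then pass the resulting server.p12 to --http-cert-file and --dirsrv-cert-file as the ticket shows. One caveat for the FIPS case the ticket is about: the OpenSSL 1.0.x shipped with RHEL 7 encrypts the certificate bags with RC2-40-CBC by default, which is not a FIPS-approved cipher, so if the export step itself errors out in FIPS mode, add `-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES` to the openssl pkcs12 command to select an approved PBE for both bags.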

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1514163

6 years ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

6 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1333

6 years ago

Metadata Update from @frenaud:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.6)

6 years ago

master:

  • 19138c5 Fix ca less IPA install on fips mode

ipa-4-6:

  • ba25408 Fix ca less IPA install on fips mode

ipa-4-5:

  • 4a09a49 Fix ca less IPA install on fips mode

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
